Re: nginx + php = system() not working?
On 25/05/2024 17:51, F Bax wrote:
> I tried a few things with nginx not in chroot; but got permission errors.
> The message provided no clue as to which file/directory might be causing
> it; so eventually I gave up. After some brainstorming; we decided to run
> inside chroot; use php functions other than system() and use a cron job
> to do the work that is outside chroot.
>
> Now a new issue; nginx does not start during boot; yet does start
> manually - why? The following commands were issued immediately after
> boot.
>
> # cat /etc/rc.conf.local
> nginx_flags=""
> pkg_scripts=php83_fpm
> # /etc/rc.d/nginx start

You forgot to run rcctl enable nginx so that nginx is added to the pkg_scripts= line. Only system daemons can be enabled by adding them as $daemon_flags= in /etc/rc.conf.local . Package daemons must be explicitly added to pkg_scripts= .

Cheers,
Noth

> nginx(ok)
>
> On Fri, May 17, 2024 at 10:19 AM Souji Thenria wrote:
> > On Fri May 17, 2024 at 2:56 PM BST, F Bax wrote:
> > > In /etc/rc.conf.local - I changed nginx_flags="-u -p /home/Testing"
> > > (home directory of a real user).
> > > reboot system and now browser is refused connection
> > > This site can’t be reached 192.168.1.131 refused to connect.
> > > Neither /var/www/logs/{access|error}.log is changed.
> > > What else needs to change?
> >
> > Can you verify that nginx is running?
> > You may have an error in your configuration. You can check the nginx
> > configuration using nginx -t.
> >
> > Another issue might be that nginx is still running as www and doesn't
> > have access to /home/Testing.
> >
> > Regards,
> > Souji
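The mistake Noth points out (a package daemon with a *_flags= line but no entry in pkg_scripts=, so nothing starts it at boot) is easy to miss by eye. The following POSIX sh check is an added example written for this thread, not code from the list or from OpenBSD; it parses an rc.conf.local and reports, for the package daemon names you pass, which ones are not listed in pkg_scripts=. Base-system daemons are started from their *_flags= line alone, so only package daemon names should be passed to it.

```shell
#!/bin/sh
# Added example (not from the thread): report package daemons that are not
# enabled in pkg_scripts= of an rc.conf.local, including the case Noth
# describes, where nginx_flags="" exists but nginx is absent from pkg_scripts.
#
# Usage: check_pkg_scripts /etc/rc.conf.local nginx php83_fpm
# Prints one line per daemon that is not enabled; exit status 1 if any.

pkg_scripts_value() {
    # Value of pkg_scripts= with optional quotes removed. The last assignment
    # in the file wins, matching how sh(1) evaluates rc.conf.local.
    sed -n 's/^[[:space:]]*pkg_scripts=//p' "$1" | tail -n 1 | tr -d "\"'"
}

has_flags_line() {
    # True if the file contains a <daemon>_flags= assignment.
    grep -q "^[[:space:]]*${2}_flags=" "$1"
}

check_pkg_scripts() {
    rcfile=$1
    shift
    scripts=$(pkg_scripts_value "$rcfile")
    rc=0
    for daemon in "$@"; do
        case " $scripts " in
            *" $daemon "*) ;;    # listed in pkg_scripts: started at boot
            *)
                if has_flags_line "$rcfile" "$daemon"; then
                    echo "$daemon: ${daemon}_flags= is set but $daemon is missing from pkg_scripts="
                else
                    echo "$daemon: not enabled (not in pkg_scripts=)"
                fi
                rc=1
                ;;
        esac
    done
    return $rc
}

# Run against the given file when invoked directly with arguments, e.g.
#   sh check_pkg_scripts.sh /etc/rc.conf.local nginx php83_fpm
if [ $# -ge 2 ]; then
    check_pkg_scripts "$@"
fi
```

With the rc.conf.local quoted above (nginx_flags="" and pkg_scripts=php83_fpm) the check flags nginx; after rcctl enable nginx rewrites pkg_scripts to include it, the check is silent and exits 0.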
Re: nginx + php = system() not working?
I tried a few things with nginx not in chroot; but got permission errors. The message provided no clue as to which file/directory might be causing it; so eventually I gave up. After some brainstorming; we decided to run inside chroot; use php functions other than system() and use a cron job to do the work that is outside chroot.

Now a new issue; nginx does not start during boot; yet does start manually - why? The following commands were issued immediately after boot.

# cat /etc/rc.conf.local
nginx_flags=""
pkg_scripts=php83_fpm
# /etc/rc.d/nginx start
nginx(ok)

On Fri, May 17, 2024 at 10:19 AM Souji Thenria wrote:
> On Fri May 17, 2024 at 2:56 PM BST, F Bax wrote:
> > In /etc/rc.conf.local - I changed nginx_flags="-u -p /home/Testing"
> > (home directory of a real user).
> > reboot system and now browser is refused connection
> > This site can’t be reached 192.168.1.131 refused to connect.
> > Neither /var/www/logs/{access|error}.log is changed.
> > What else needs to change?
>
> Can you verify that nginx is running?
> You may have an error in your configuration. You can check the nginx
> configuration using nginx -t.
>
> Another issue might be that nginx is still running as www and doesn't
> have access to /home/Testing.
>
> Regards,
> Souji
>
Re: nginx + php = system() not working?
On 2024-05-17, Martijn van Duren wrote:
> On Thu, 2024-05-16 at 21:58 -0400, F Bax wrote:
>> I think I missed something simple? I installed 7.5 release in a VM. I then
>> installed nginx and PHP 8.3.3; with pkg_add. I then ran these two commands:
>> # rcctl enable php83_fpm
>> # rcctl start php83_fpm
>> I found an issue with php system() function; so created this simple script
>> which produces "HiThere"; why is the date not presented?
>>
>> <?php
>> echo 'Hi';
>> system( 'date' );
>> echo 'There';
>> ?>
>
> All the advice I've seen is horrible. chroot isn't enabled by default
> without a reason (php and security have a history).
> My first question would be why you need system() in the first place.
> If you need the date/time, just use
> https://www.php.net/manual/en/class.datetime.php. If it's just a proof
> of concept be more precise in what you want to achieve and see if
> there's a PHP library equivalent. If there's no reasonable way to
> achieve it (which I highly doubt) I advise to copy the required binary
> (and dependencies) into the chroot and make a memo to keep them up to
> date. There's some information about this in PHP's pkg-readme file.

-- 
Please keep replies on the mailing list.
Re: nginx + php = system() not working?
"Souji Thenria" wrote:
> Another issue might be that nginx is still running as www and doesn't
> have access to /home/Testing.

As per above suggestion double check that the user by which you run nginx (usually www) has access almost by the group to the prefix directory declared by the -p flag, and to the subfolders. (and clearly you can't manage to do that on a usr home dir..)

Then you should double check your phpfpm user and group by the php-fpm.conf in the following declarations:

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = www
group = www

-dan
Re: nginx + php = system() not working?
On Fri May 17, 2024 at 2:56 PM BST, F Bax wrote:
> In /etc/rc.conf.local - I changed nginx_flags="-u -p /home/Testing"
> (home directory of a real user).
> reboot system and now browser is refused connection
> This site can’t be reached 192.168.1.131 refused to connect.
> Neither /var/www/logs/{access|error}.log is changed.
> What else needs to change?

Can you verify that nginx is running?
You may have an error in your configuration. You can check the nginx configuration using nginx -t.

Another issue might be that nginx is still running as www and doesn't have access to /home/Testing.

Regards,
Souji
Re: nginx + php = system() not working?
On Thu, 2024-05-16 at 21:58 -0400, F Bax wrote:
> I think I missed something simple? I installed 7.5 release in a VM. I then
> installed nginx and PHP 8.3.3; with pkg_add. I then ran these two commands:
> # rcctl enable php83_fpm
> # rcctl start php83_fpm
> I found an issue with php system() function; so created this simple script
> which produces "HiThere"; why is the date not presented?
>
> <?php
> echo 'Hi';
> system( 'date' );
> echo 'There';
> ?>

All the advice I've seen is horrible. chroot isn't enabled by default without a reason (php and security have a history).

My first question would be why you need system() in the first place. If you need the date/time, just use https://www.php.net/manual/en/class.datetime.php. If it's just a proof of concept be more precise in what you want to achieve and see if there's a PHP library equivalent. If there's no reasonable way to achieve it (which I highly doubt) I advise to copy the required binary (and dependencies) into the chroot and make a memo to keep them up to date.

martijn@
Re: nginx + php = system() not working?
Thanks for the tips and security warnings Mike, Souji and Dan,

In php-fpm.conf - I changed "; chroot = /var/www" to comment.
In /etc/rc.conf.local - I changed nginx_flags="-u -p /home/Testing" (home directory of a real user).
reboot system and now browser is refused connection
This site can’t be reached 192.168.1.131 refused to connect.
Neither /var/www/logs/{access|error}.log is changed.
/var/log/php-fpm.log shows normal startup; then nothing in any /var/log/ files.

[17-May-2024 09:41:59] NOTICE: fpm is running, pid 8072
[17-May-2024 09:41:59] NOTICE: ready to handle connections

What else needs to change?
Re: nginx + php = system() not working?
It can even help to run nginx in "unsecure mode" if you want to stay not chrooted:

nginx_flags="-u -p /home/mytests"

man nginx ; while php-fpm.conf should remain with the default values ; in this case..

-dan

Mike Fischer wrote:
>
> > On 17.05.2024 at 03:58, F Bax wrote:
> >
> > I think I missed something simple? I installed 7.5 release in a VM.
> > I then installed nginx and PHP 8.3.3; with pkg_add. I then ran
> > these two commands:
> > # rcctl enable php83_fpm
> > # rcctl start php83_fpm
> > I found an issue with php system() function; so created this simple
> > script which produces "HiThere"; why is the date not presented?
> > <?php
> > system( 'date' );
> > echo 'There';
> > ?>
>
> You are probably running the php83_fpm process accessed from nginx in
> the default chroot(2) environment?
Re: nginx + php = system() not working?
May 17, 2024 11:30:25 Souji Thenria :
>      -u      By default nginx will chroot(2) to the home
>              directory of the user running the daemon, typically
>              "www", or to the home directory of user in
>              nginx.conf. The -u option disables this behaviour,
>              and returns nginx to the original "unsecure"
>              behaviour.
>
> But it doesn't do it on other systems; I cross-checked with nginx
> installed on a FreeBSD, where this option doesn't exist.

Indeed take care about this option as I use it every day in my dev environment.. ;-)
Re: nginx + php = system() not working?
On Fri May 17, 2024 at 4:38 AM BST, Mike Fischer wrote:
> OpenBSD httpd would be a different situation because it runs in a
> chroot(2) environment by default. You can’t call on a PHP-FPM process
> that is not also running in the chroot(2) environment. The communication
> between httpd(8) and PHP-FPM fails due to differing opinions about the
> root of the filesystem when applied to the paths passed from httpd to
> PHP-FPM. At least I have not managed to get this to work.
>
> But AFAIK nginx does not run chroot(2)ed by default. So PHP-FPM does not
> need to either.

On OpenBSD, nginx chroots its process by default. Here is a snippet from the man page nginx(8).

     -u      By default nginx will chroot(2) to the home
             directory of the user running the daemon, typically
             "www", or to the home directory of user in
             nginx.conf. The -u option disables this behaviour,
             and returns nginx to the original "unsecure"
             behaviour.

But it doesn't do it on other systems; I cross-checked with nginx installed on a FreeBSD, where this option doesn't exist.

Since nginx and php_fpm chroot their processes to the same directory (if not changed), nginx should be able to write to the php_fpm socket.
Re: nginx + php = system() not working?
> On 17.05.2024 at 03:58, F Bax wrote:
>
> I think I missed something simple? I installed 7.5 release in a VM. I then
> installed nginx and PHP 8.3.3; with pkg_add. I then ran these two commands:
> # rcctl enable php83_fpm
> # rcctl start php83_fpm
> I found an issue with php system() function; so created this simple script
> which produces "HiThere"; why is the date not presented?
> <?php
> echo 'Hi';
> system( 'date' );
> echo 'There';
> ?>

You are probably running the php83_fpm process accessed from nginx in the default chroot(2) environment?

If so you need to reconfigure your /etc/php-fpm.conf to not use chroot(2) — comment the line »chroot = /var/www« — or install /bin/date and a /bin/sh into /var/www. (Note that PHP needs a shell to execute shell commands and the date command is not present in the chroot(2) environment by default either.)

Your test script works for me in Apache httpd and a php-fpm.conf without chroot(2) (in a non-public setting). So I don’t think this is related to nginx specifically. Could happen with OpenBSD httpd and PHP-FPM as well. Basically in any situation where PHP-FPM is running chroot(2)ed.

OpenBSD httpd would be a different situation because it runs in a chroot(2) environment by default. You can’t call on a PHP-FPM process that is not also running in the chroot(2) environment. The communication between httpd(8) and PHP-FPM fails due to differing opinions about the root of the filesystem when applied to the paths passed from httpd to PHP-FPM. At least I have not managed to get this to work.

But AFAIK nginx does not run chroot(2)ed by default. So PHP-FPM does not need to either.

Note: If you need both you can configure your /etc/php-fpm.conf to spawn both chroot(2)ed and non-chroot(2)ed workers with differing sockets. I’m doing this on a machine running both OpenBSD httpd and Apache httpd with PHP based web pages.

HTH
Mike

PS. Hopefully you are aware that running shell commands from a publicly accessible web server can lead to serious security issues? Be very careful when configuring access restrictions to the affected URLs and when constructing the UNIX commands you plan to execute.
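Mike's explanation is that PHP's system() spawns /bin/sh, and inside the default php-fpm chroot neither the shell nor date exists, so the command silently produces nothing. Before deciding whether to copy binaries into /var/www (or to drop system() altogether, as Martijn suggests), it helps to see exactly what the chrooted worker can reach. The following POSIX sh check is an added example written for this thread, not code from the list or from OpenBSD; it resolves command names relative to the chroot root rather than the host, using an assumed in-chroot search path, and always checks /bin/sh first because system() cannot work without it. It only looks for the executables themselves; a dynamically linked binary also needs its libraries inside the chroot, which this check does not verify.

```shell
#!/bin/sh
# Added example (not from the thread): list the commands a chroot(2)ed
# php-fpm worker could NOT execute through system(). Paths are resolved
# below the chroot root, so /var/www/bin/date stands for /bin/date as the
# worker sees it.
#
# Usage: chroot_missing_cmds /var/www date
# Prints one "missing:" line per absent item; exit status 1 if any.

# Search path as seen from inside the chroot (an assumption for this
# example, not a value from the thread or from php-fpm's configuration).
CHROOT_PATH="/bin:/usr/bin:/usr/local/bin"

# Print the in-chroot executable for a command, if one exists under root.
find_in_chroot() {
    root=$1
    cmd=$2
    saved_ifs=$IFS
    IFS=:
    for dir in $CHROOT_PATH; do
        if [ -x "$root$dir/$cmd" ] && [ ! -d "$root$dir/$cmd" ]; then
            IFS=$saved_ifs
            echo "$root$dir/$cmd"
            return 0
        fi
    done
    IFS=$saved_ifs
    return 1
}

chroot_missing_cmds() {
    root=$1
    shift
    rc=0
    # system() hands the command line to /bin/sh, so the shell is mandatory.
    if [ ! -x "$root/bin/sh" ]; then
        echo "missing: $root/bin/sh (system() needs a shell inside the chroot)"
        rc=1
    fi
    for cmd in "$@"; do
        if ! find_in_chroot "$root" "$cmd" >/dev/null; then
            echo "missing: $cmd (not found under $root in $CHROOT_PATH)"
            rc=1
        fi
    done
    return $rc
}

# Run directly, e.g.:  sh chroot_missing_cmds.sh /var/www date
if [ $# -ge 2 ]; then
    chroot_missing_cmds "$@"
fi
```

On a stock php-fpm chroot of /var/www the check reports both /var/www/bin/sh and date as missing, which is exactly why the test script printed "HiThere" and nothing else; once both are copied in, it exits 0.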
nginx + php = system() not working?
I think I missed something simple? I installed 7.5 release in a VM. I then installed nginx and PHP 8.3.3; with pkg_add. I then ran these two commands:

# rcctl enable php83_fpm
# rcctl start php83_fpm

I found an issue with php system() function; so created this simple script which produces "HiThere"; why is the date not presented?